---
title: "Auth & Credentials"
sidebarTitle: "Auth & Credentials"
description: ""
icon: "key"
---

By default, Subtrace redacts all known authorization credentials from every
request. To change this behaviour, set the `authCredentials` field in your
config YAML file. Here's an example:

```yaml
# The default value is "redact". By setting this field's value to "keep", we're
# overriding the behavior so that Subtrace keeps all credentials unmodified.
authCredentials: "keep"

# ...the rest of your config
tags:
  service: foo
```

To use the config file, set the `--config` command line flag when starting
Subtrace:

```bash
subtrace run --config=/path/to/subtrace.yaml -- node app.js
```

This option affects the following HTTP headers across all requests:

- `Cookie` header on the request
- `Set-Cookie` header on the response
- `Authorization` header on the response

The following values are allowed:

- `redact` will redact the auth credential completely (default).
- `hash` will replace the value with a SHA256 hash of the original value (see below).
- `keep` will trace the full auth credential string in cleartext (NOT recommended).

## Using `authCredentials: "hash"`

The `authCredentials: "hash"` allows you to cross-match credentials across
different requests safely without storing raw auth credentials in cleartext.
For example, let's say a client makes an API call with following request
header:

```
Authorization: Bearer my-secret-api-key-1234
```

Setting `authCredentials: "hash"` will hash the value when the request is traced:

```
Authorization: <redacted:sha256:a4281572876fbe0eb4780386c435bd8be7bc36136a98e90a68a0af3837f27483>
```

Two requests using the same `Authorization` header will have the same redacted
hash. If you know the original API key, you can also compute the hash yourself
using the `sha256sum` command:

```
$ echo -n "Bearer my-secret-api-key-1234" | sha256sum
a4281572876fbe0eb4780386c435bd8be7bc36136a98e90a68a0af3837f27483  -
```
